The Panera Bread incident is a classic example of how to NOT handle a security breach, and there are definitely lessons other companies can learn from Panera Bread’s catalogue of mistakes.
However, I was disappointed to see so many wise security owls, on social media or their personal blogs, hooting over the fact that one of the Panera Bread security staff involved in the story used to work at Equifax.
Yes, that Equifax. The one which was revealed to have been hacked last year, putting the details of hundreds of millions of consumers at risk.
It’s pretty ugly to beat up a particular named individual (I’ve redacted his name above) because a company he used to work at had a serious security breach four years later.
In fact, I feel it’s pretty lousy to race to blame Panera Bread’s IT security team at all.
Are we really sure of the facts? Can we say with confidence that it’s them who are ultimately to blame for the hapless response to a serious security failing?
Or might there be some fault higher up in the company, which may not have given the IT security team the resources and wherewithal to determine where their efforts are best placed and fix what is so clearly broken?
All I’m saying is this: It’s not always easy to be the guy responsible for securing a company, but it’s pretty simple to pillory someone without knowing all the facts.
To hear further discussion of the Panera Bread security breach, check out this episode of the “Smashing Security” podcast.
Smashing Security #072: 'Why are firms so cr*p with our private data?'
In my experience, and by "experience" I mean "Having gone through this exact same thing" a couple of times, it wasn't the security team who made the call to not disclose the breach in violation of PCI/DSS rules. It was short-sighted upper management who didn't want to admit that there was a breach unless forced to. The same upper management who overruled the security team's recommendation to not take this site live in the first place due to massive security vulnerabilities.
IT security effectiveness is conversely proportionate to the pointiness of the hair above them.
Krebs on Security have run this story, having investigated it, and the accounts on Twitter mentioned the above LinkedIn profile. According to the evidence presented there, the former Equifax employee was personally aware of the problems in the summer of last year.
Quite likely, if he's any good at his job. But I've been handed all kinds of reasons from upper management for not fixing a vulnerability. All of them boiling down to "It's not really a problem, so we're not going to bother".
Fact is, we don't know how he handled things internally. All we know is how the company handled things publicly.
I can see a number of issues with this case.
Firstly, the PR exercise about disclosing the breach.
Secondly, what they did to fix the breach.
The disclosed emails in the report show he stated they were fixing the issue, but that issue then remained unfixed for months. So, he's left in a situation where what he said to a member of the public wasn't followed through.
Also, this was more than just a vulnerability. This was a realisation of the threat of information leakage, a breach of PCI/DSS. Regardless of what naïve upper management say to him at that point, it could be argued he is sufficiently senior to have taken control of that realisation and fix it.
While you're right, I've rarely found reality to be as clean.
"The disclosed emails in the report show he stated they were fixing the issue, but that issue then remained unfixed for months."
Ever tried to get a fix through a change control board packed with people who are just not interested in approving a change? Or possibly worse, multiple levels of CCBs because the fix is determined to affect multiple departments, all of whom have to sign off to pass the change, and half of whom won't bother. I obviously don't know if that was the case, but I've seen more CCBs run like this than not.
"Regardless of what naïve upper management say to him at that point, it could be argued he is sufficiently senior to have taken control of that realisation and fix it."
Naïve isn't the problem. Outright refusing to handle the situation is. I've seen security directors told to cover up breaches like this, I've seen security directors fired for not agreeing with that, and I've seen security directors leave because of coverups like this.
This guy could very well be utterly incompetent or a victim of really, really bad upper management. You could say that he should have risked his job to disclose the breach, but unemployment is a scary thing. Hindsight says he probably should have, but that's hindsight for you. Comes down to the fact that incompetence and caught in a bad situation can look about the same.
Now, if he hits a trifecta…
The back and forth emails seem to have gone on for something like 8 months. So, the Director of Security in question certainly did know of the breach. However, I don't think his knowledge of the breach is the question. Nor does it force the IT team to prioritize patching the breach. To Graham's point, he may have brought all the facts to executive attention but their ultimate decision was to hush it up. That's actually more likely the case.
Yet, there would be more that could have been done. If nothing more than a CYA move, hiring an outside security firm to report on the findings would at least indemnify the internal security team. I do know that if I had been on that team and not made any traction with reporting a breach of this magnitude, I would not have stuck around waiting for the smoking volcano to blow.
Definitely agree with your last point. Key to being a high ranking security professional is the ability to influence senior management and get them to make decisions that maintain a good security culture.
Never mind. Disregard all attempts to give this guy the benefit of the doubt.
https://arstechnica.com/information-technology/2018/04/panera-accused-security-researcher-of-scam-when-he-reported-a-major-flaw/
Wtf? He actually wasn't just emailing back and forth for 8 months but received actionable proof of the security flaw early on. He did precisely shit with it.
Graham,
I agree with the thrust of your story here, but you failed to mention one very relevant fact: In my piece, I noted that the researcher who reported the breach to Panera in August 2017 communicated directly with the person whose LinkedIn CV you picture above. That person said Panera was going to fix it, and then they didn't. Not until the researcher came to me in hopes of getting Panera to finally address the issue. Which they did without apparently much trouble shortly after my story went live.
I'd say that speaks volumes about that person's qualifications for the job of the person in charge of security at Panera.
While it may not be his personal fault, it does not mean he is not responsible for ensuring the problem is fixed one way or the other. He may be employed to advise the higher ups, and he may have tried that this is a grave issue and must be fixed.
Again, maybe he did, but if I were in that position, I would resign as you are clearly not being treated as a director and you can be damn sure they’ll pin the responsibility on you when it goes tits up.